Advice and news for managers who oversee e-commerce, customer service, and social media web assets


Category Archives: security

The G-folks are going to be putting a weighted value on site security in website rankings in their search engines. They say it will be ‘light’ — at least at first — and probably affect most sites not at all or only slightly. But the ultimate goal is to spur adoption of HTTPS secure socket layer encryption across the web, with the aim of improving the security of logins and other transactions.

In the wake of a story from an ex-Oracle engineer that the database megacorp put in a pricey upgrade option that is automatically enabled and far too easy to invoke ‘accidentally,’ the O has issued an explainer… turns out the feature is, in their words, “not a bolt-on technology” — and it’s not automatically enabled; users must go through a whole two steps to spend their $23k per CPU.

According to ZDNet, the problem might have been easily contained if it weren’t for several possibly aggravating factors:

This bug [is] not a problem with OpenSSL’s inherent design. It’s an implementation problem. That is to say, it is the result of a programming mistake. There is already a fix available for the problem for the 1.0.1 program in OpenSSL 1.0.1g. Work is proceeding rapidly for a patch of the 1.0.2-beta line.

That’s bad enough, but what really has some operating system and security companies ticked is that while OpenSSL and others were hard at work delivering the patched versions that would have limited the problem’s possible use by blackhat hackers, CloudFlare, a Web security company, revealed in a blog posting details about the security hole and that they’d fixed the bug. They appear to have used the methods described by OpenSSL. Unfortunately, for everyone else, these methods were not ready for broad deployment.

According to an article in Ars Technica, security experts at several companies are warning of a widespread attempt to compromise and take over WordPress administration accounts. The bad guys are using a separate botnet (presumably one comprised of compromised home machines) to run brute force attacks on WordPress installations across the web.

According to CloudFlare’s Prince, the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username “admin” and 1,000 or so common passwords. He said the attacks are coming from tens of thousands of unique IP addresses, an assessment that squares with the finding of more than 90,000 IP addresses hitting WordPress machines hosted by HostGator.

Because of the relatively basic nature of the attack, those who have changed the admin name from the default (“admin”) and use secure passwords should be safe from it. (It’s best to follow WordPress’s suggestions on password security, or to use some other relatively rigorous system for deriving your password.*)
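The attack described above has a signature that a per-IP lockout plugin will miss: each bot in the botnet makes only a few guesses, so no single address ever trips a threshold, while the number of distinct addresses hitting the login page in a short window is far above anything legitimate. The following detection script is an added example for this post, not code from TKM WebWorks or from WordPress. It reads Apache combined-format access log lines (the sample lines are constructed, using documentation IP ranges), buckets POSTs to wp-login.php by minute, and flags a minute as a distributed campaign when many sources appear yet the busiest one stays under a normal per-IP lockout count. It also relies on one piece of standard WordPress behaviour: a failed login re-renders the form with a 200, while a successful login answers with a 302 redirect, so a 302 during a flagged window is worth investigating. The thresholds (`min_sources`, `per_ip_lockout`) are assumptions chosen to fit the sample; on a real site you would set them from your own baseline.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format; not real traffic.
# Eight distinct sources each POST to wp-login.php once or twice inside one
# minute, which is exactly the shape that evades a per-IP lockout.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Apr/2013:09:00:09 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:09:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Apr/2013:09:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:09:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.15 - - [12/Apr/2013:09:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.16 - - [12/Apr/2013:09:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.17 - - [12/Apr/2013:09:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:09:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_login_posts(log_text):
    """Yield (minute_bucket, ip, status) for every POST to /wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?")[0] != "/wp-login.php":
            continue
        # '12/Apr/2013:09:00:01 +0000' -> '12/Apr/2013:09:00' (minute bucket)
        minute = m.group("ts")[:17]
        yield minute, m.group("ip"), int(m.group("status"))


def find_distributed_bruteforce(log_text, min_sources=5, per_ip_lockout=5):
    """Flag minutes where many sources hit the login page but no single source
    makes enough attempts to trigger a per-IP lockout (assumed threshold)."""
    per_minute = defaultdict(lambda: defaultdict(list))
    for minute, ip, status in parse_login_posts(log_text):
        per_minute[minute][ip].append(status)

    findings = []
    for minute, by_ip in sorted(per_minute.items()):
        sources = len(by_ip)
        busiest = max(len(statuses) for statuses in by_ip.values())
        if sources >= min_sources and busiest < per_ip_lockout:
            # WordPress answers a successful login with a 302 redirect and a
            # failed one with a 200, so a 302 inside the campaign is a red flag.
            succeeded = sorted(ip for ip, st in by_ip.items() if 302 in st)
            findings.append({
                "minute": minute,
                "sources": sources,
                "max_per_ip": busiest,
                "succeeded": succeeded,
            })
    return findings


if __name__ == "__main__":
    for f in find_distributed_bruteforce(SAMPLE_LOG):
        print(f"{f['minute']}: {f['sources']} sources, busiest made "
              f"{f['max_per_ip']} attempts; logins succeeded from {f['succeeded'] or 'none'}")
```

The point of the two conditions together is that the second one is what makes the first one interesting: a single noisy scanner will show up as one source with many attempts and is already handled by a lockout, whereas a flagged minute here is traffic that the lockout, by design, cannot see. The lone 302 at 09:03 from a single source is not flagged, because one address logging in normally is exactly what an administrator's own login looks like.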

Still, it’s never too late to check your own password. Hackers halfway around the world probably won’t know your dog’s name or the name of your high school team, but your ex-spouse, co-workers and many more folks just might. And if they want to play a ‘little trick’ on you, if you have obvious user names and passwords, you make that easy.

(Don’t forget the fellow who got federal time for ‘hacking’ Sarah Palin’s email account simply found her email address and then guessed her password, which, if we recall correctly, was something really obvious like a pet or kid name. That it was easy didn’t keep him out of federal prison, though.)

You can be assured that TKM WebWorks will be monitoring this situation and, as always, working to keep your sites working and uncompromised, whether they use the WordPress CMS or not.

* A good, hard to crack, all-but-impossible-to-guess password doesn’t have to be hard to remember. You can use random combinations of letters, numbers, and symbols, but that means you’ll probably have to cut and paste it — unless, perhaps, you create a ‘mnemonic’ acronym — a password that ‘stands’ for a phrase. For instance, you could use nitt4agm2c2taotc — almost impossible to guess (or remember) unless you know it stands for now is the time for all good men to come to the aid of the country. (Obviously, you don’t want to use such a phrase that will pop to the lips of the many. You want one that you can remember but that isn’t ‘obvious.’)

Another system for creating quite secure passwords is to simply create a phrase of four or more unrelated words. (Of course you can also stick numbers or other characters in such a phrase, making it even harder to guess.) Such pass phrases may not be quite as secure as random strings of characters, numbers, and symbols, but they nonetheless require long periods of dictionary attack to crack. (So-called dictionary attacks take valuable resources and considerable processing time, and so are typically the province of targeted attacks — not the sort of random, low-hanging-fruit collection of the above-referenced WP attack.)
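To put numbers on the comparison the two footnote paragraphs make (a mnemonic acronym, a random string, and a passphrase of unrelated words), here is an added worked example written for this page; it is not TKM WebWorks code or a WordPress feature. The mnemonic routine reproduces the page's own example by taking the first letter of each word and swapping “for” for 4 and “to” for 2 (a rule inferred from the example, so an assumption). The word list is a constructed twelve-word stand-in; the entropy estimate uses the size of a standard diceware list (7776 words) instead. Guess rates are an assumed 10^9 per second, which is in the range a dedicated offline cracking rig could manage against a fast hash, not what the online WordPress attack above could ever reach.

```python
import math
import secrets

# Constructed mini word list; a real diceware-style list has thousands of
# entries (the standard one has 7776), which is the figure used below.
SAMPLE_WORDS = ["anchor", "biscuit", "copper", "dusk", "ember", "fossil",
                "glacier", "harvest", "ivory", "juniper", "kettle", "lantern"]
DICEWARE_LIST_SIZE = 7776
ALNUM_LOWER = "abcdefghijklmnopqrstuvwxyz0123456789"  # 36 symbols


def entropy_bits(alphabet_size, length):
    """Bits of entropy in `length` symbols each drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def mnemonic_from_phrase(phrase):
    """Acronym-style password as in the page's example: first letter of each
    word, with 'for' -> '4' and 'to'/'too' -> '2' (assumed rule)."""
    swaps = {"for": "4", "to": "2", "too": "2"}
    return "".join(swaps.get(w, w[0]) for w in phrase.lower().split())


def random_string(length, alphabet=ALNUM_LOWER):
    """Uniformly random string from a CSPRNG; entropy is length * log2(|alphabet|)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, n_words=4, separator=" "):
    """n words chosen independently with a CSPRNG. Repeats are allowed on
    purpose: that keeps every choice uniform, so entropy is n * log2(len(list))."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def years_to_exhaust(bits, guesses_per_second=1e9):
    """Years needed to try every candidate at the given rate (the attacker's worst case;
    on average they succeed in half that)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    phrase = "now is the time for all good men to come to the aid of the country"
    mnemonic = mnemonic_from_phrase(phrase)
    print(f"mnemonic: {mnemonic}  (looks like 16 random symbols, but an attacker who"
          f" guesses well-known phrases only has to try the phrase list)")

    for label, bits in [
        ("16 random lowercase+digits", entropy_bits(len(ALNUM_LOWER), 16)),
        ("4 diceware words", entropy_bits(DICEWARE_LIST_SIZE, 4)),
        ("4 diceware words + 1 random digit", entropy_bits(DICEWARE_LIST_SIZE, 4) + entropy_bits(10, 1)),
        ("6 diceware words", entropy_bits(DICEWARE_LIST_SIZE, 6)),
    ]:
        print(f"{label:36s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years at 1e9 guesses/s")

    print("example random string:", random_string(16))
    print("example passphrase:   ", random_passphrase(SAMPLE_WORDS))
```

The numbers bear out the footnote's claim in both directions: four words from a 7776-word list give about 52 bits, which a fast offline attack exhausts in weeks, while 16 random alphanumerics give about 83 bits, which is out of reach; but adding a single random digit or two more words moves the passphrase back into the same territory while staying memorable. Note that the mnemonic's strength is not 16 symbols' worth, because its entropy is that of the phrase choice, not of the letters; that is the footnote's own warning about phrases that “pop to the lips of the many.”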

This article from the UK’s Telegraph highlights the problem many businesses will face a year from now when Microsoft finally pulls remaining support from Windows XP — which still dominates the computer OS scene almost a dozen years since its release and five years since its intended successor, Windows Vista, was released. (To the sound of one hand clapping.)

Microsoft learned the Vista lesson, delivered a solid, well-liked OS with Windows 7, but came down with a case of institutional amnesia and repeated the Vista fiasco with Windows 8, which has alienated both consumers and, particularly, enterprise users, not to mention computer usability experts, who were aghast at its grafting of a simplistic and crippled tablet interface over the top of Windows, obscuring the familiar aspects of the operating system and hobbling multitasking users with a one-thing-at-a-time approach that bizarrely turns its back on the reason Windows was created. (Determined users can find their way to the more familiar legacy aspects of the OS, and can, indeed, engage in the sort of multitasking, multi-document work that put Windows on the map in the first place — but many users are totally flummoxed by their experiences with Windows 8.)

Microsoft had announced earlier support cut-offs, but was forced to push them back when enterprise and consumer customers stayed away from Vista in droves. Windows 7 went over considerably better — power users and geeks loved it — but the onus of the disastrous Vista release lingered. And then, with the MS board of directors obviously demanding more “Apple-like” customer lock-in and exploitation, MS dove headfirst into the sea of self-destruction that is Windows 8.

Oracle, the company that bought Java inventors Sun Microsystems in order to gain control of Java and other software developed in large part by the Open Source community, has been an exceptionally poor steward of those important franchises.

Last year, an unfixed vulnerability in the version of Java that Apple’s Mac operating system uses led to the deepest botnet penetration of any computer platform in history. After that, Apple wised up and found a way to quickly add Java to the blacklist of malware and insecure programs that the Mac OS won’t allow to run. And they needed it.

Unfortunately, while Apple was able to throw the kill switch on Java for the duration of the security problem, the rest of the computing world that uses Java has remained vulnerable for months since Oracle was notified of the latest zero-day vulnerability.

It’s become so bad the Department of Homeland Security has had to issue a warning to computer users around the world to not use Java because its unfixed vulnerabilities made their computers a knockover for a takeover.

Oracle had finally announced the fix would be available on Tuesday but rushed its release forward to today.

But many industry observers — including Forbes Magazine — think it’s one too many security lapses by Oracle. Their recommendation: nuke Java before it is used to nuke you.

From Forbes: “Russian security firm Kaspersky reported in its third quarter analysis of security threats that Java was exploited in fully 56% of all known attacks that took advantage of vulnerabilities in software.”

That’s 56% of ALL known attacks from a software utility used by only a tiny, tiny minority of websites.

But… it is cause for concern that there is yet another ‘drive-by’ malware attack on the Macintosh’s OS X operating system — fresh on the heels of the massive Flashback infestation that created a ‘botnet’ (robot network or zombie-net) of over 550,000 Macintoshes that had been taken over by that Java-related malware. Particularly troubling in that case was the fact that even though Java publishers Oracle released a fix for the vulnerability in January, it took Apple more than two months to implement the fix and patch the OS X system.

(Apple elects to handle updates to their Java engine themselves. Which, obviously, created a long window during which the malware was able to spread to over a half million Macs — the greatest penetration — as measured by percentage of a given computer platform — ever.)

Part of the problem for Apple is that they coasted on what they claimed were their laurels with regard to security for so long. OS X, they insisted, had almost never been the target of a large, successful attack — even stretching so far as to claim that was because of ‘superior security’ on the Mac’s OS X. Sadly, that last is simply not true, as MacWorld’s own Rich Mogull pointed out last year when he stated that Windows 7 was more secure than OS X — to the predictable howls of Mac evangelists.

Now, of course, with Flashback — the most ‘successful’ penetration (measured by percentage) of any modern OS ever — there’s little rational argument against the conclusion that OS X seriously needs the kind of security overhaul that Microsoft performed on Windows — in particular the ‘anonymization’ of critical OS code libraries. Windows now uses what amounts to a dynamic naming system to ‘hide’ critical OS components from malware, which has proved very successful. Mac security specialists like Mogull have been urging Apple to do the same, and it appears that they have, indeed, been working to bring OS X up to contemporary security standards.

MacWorld doesn’t have news of this newest Mac trojan, currently known by the euphonically challenged names, Backdoor.OSX.SabPub.a and SX/Sabpab-A — but ZDNet is on the tip with this article on the latest set of threats (same as linked at top of article)…

The remote C&C website appears to be hosted on the free dynamic DNS service onedumb.com. Interestingly, the IP address in question has been used in other targeted attacks (known as Luckycat) in the past. This particular attack may have been launched through e-mails containing a URL pointing to two websites hosting the exploit, located in Germany and the U.S.

The Trojan may have been created on March 16, 2012. It was compiled with debug information, meaning analyzing it wasn’t hard, but more importantly this seems to suggest it is not the final version. You can check for infection by looking for the following files:

The Java exploits appear to be pretty standard, but have been obfuscated using ZelixKlassMaster to avoid detection by anti-malware products. The low number of infections and its backdoor functionality indicates that it is most likely used in targeted attacks.

MySQL… It’s the open source database that runs much of the web. From WordPress blogs (like this one) to hundreds of thousands of e-commerce and other sites, MySQL has proved to be not just a solid performer that could compete with expensive alternatives like MS SQL Server or Oracle’s own database system, but a much desired — and even loved — icon of the Open Source movement.

So, when Oracle bought Sun Microsystems in 2010 to acquire their open source projects, Java and MySQL, many in the developer community — and particularly the Open Source community — were gut-sick with worry that Oracle — not known for their lovability by a long stretch — would either destroy the project or proprietize it, removing it from the Open Source community’s loving embrace and charging big bucks for it. Indeed, Oracle did add several proprietary — and quite expensive extensions not long after.

Still, all in all — and so far — things aren’t looking too disastrous.

In fact, recent changes announced by Oracle suggest that MySQL’s performance will be boosted substantially by changes Oracle’s developers have made to its codebase.

Summary: Malware authors will do just about anything to fool you into installing their software. A popular target is search engine advertising, which one gang is using on Microsoft’s search results. In a separate attack, Mac users are being targeted by a Trojan that mimics a Flash installer.

Several hours after I reported that ad to Microsoft, it was removed, and a spokesperson told me that Bing’s ad network will “continue to directly work with our agency media partners to verify and confirm any suspicious orders.”

Looks like there’s more work to do.

This morning, I’ve found multiple ads on Bing that go through seemingly innocent intermediary sites to the same malicious server in Russia…

But the bad guys no longer play favorites — there are a new round of drive-by attacks that can infect Safari on both OS X and Windows — just by tricking you into visiting a malware serving site — time to UPDATE!